
A Statistical Model for Early Detection of DDoS Attacks on Random Targets in SDN

Wireless Personal Communications

Abstract

Software Defined Networks (SDNs) have accelerated and simplified the management, configuration and error detection in today’s networking systems. However, SDN is prone to some new security threats, the most important of which is its vulnerability to a new generation of Distributed Denial of Service (DDoS) attack in which fake packets target random destinations instead of targeting a single server. In this paper, we show that the existing early detection methods such as entropy- and principal component analysis (PCA)-based methods are not sufficiently capable of detecting this type of attack. Instead, we propose a novel network traffic anomaly detection framework for tackling DDoS in SDN. Our framework consists of four stages: first, we draw on extensive experiments on an SDN test-bed to analyze the behavior of normal and attack traffic. Second, a statistical trapezoid model is proposed to estimate the number of table misses in the controller. Third, we estimate the threshold of the table misses in regular time intervals using linear regression together with EWMA estimation. In the last stage, we use the derived model as a reference to detect DDoS attacks as anomalous deviations. The evaluation results demonstrate that using this method, one can detect DDoS attacks against an SDN-based network in its early stages, with few false positives, and regardless of the specifics of the attack.
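An added sketch of the third and fourth stages described in the abstract (not the authors' code): a per-interval table-miss threshold built from a linear-regression forecast plus an EWMA of the forecast error, with destination entropy computed alongside to show that it does not drop when every packet goes to a different target. This page does not give the paper's formulas, so the way regression and EWMA are combined, the parameters `window`, `alpha` and `k`, and all sample data are assumptions.

```python
import math
from collections import Counter

def dst_entropy(dsts):
    """Shannon entropy (bits) of the destination addresses seen in one interval."""
    n = len(dsts)
    return -sum(c / n * math.log2(c / n) for c in Counter(dsts).values())

def linear_forecast(window):
    """Least-squares line through the window, extrapolated one interval ahead."""
    n = len(window)
    mx, my = (n - 1) / 2, sum(window) / n
    sxx = sum((x - mx) ** 2 for x in range(n))
    slope = sum((x - mx) * (y - my) for x, y in enumerate(window)) / sxx
    return my + slope * (n - mx)

def detect(misses, window=5, alpha=0.3, k=3.0):
    """Indices of intervals whose table-miss count exceeds forecast + k * EWMA deviation."""
    history = list(misses[:window])          # warm-up intervals, assumed clean
    mean = sum(history) / window
    dev = max(1.0, sum(abs(y - mean) for y in history) / window)
    alerts = []
    for i in range(window, len(misses)):
        pred = linear_forecast(history[-window:])
        if misses[i] > pred + k * dev:
            alerts.append(i)                 # anomalous interval: keep it out of the baseline
            continue
        dev = alpha * abs(misses[i] - pred) + (1 - alpha) * dev
        history.append(misses[i])
    return alerts

# Constructed sample data (assumed values, not measurements from the paper).
MISSES = [40, 42, 41, 44, 43, 45, 44, 46, 47, 45, 140, 190, 230, 48]
NORMAL_DSTS = ["10.0.0.1"] * 16 + ["10.0.0.2"] * 8 + ["10.0.0.3"] * 4 + ["10.0.0.4"] * 2
RANDOM_DSTS = [f"10.0.1.{i + 1}" for i in range(200)]  # every packet a new target

if __name__ == "__main__":
    print("alerting intervals:", detect(MISSES))
    print("entropy normal / random-target:",
          dst_entropy(NORMAL_DSTS), dst_entropy(RANDOM_DSTS))
```

Alerted intervals are kept out of the baseline so a sustained flood cannot pull the threshold upward. The entropy values show why a detector that waits for destination entropy to fall sees nothing unusual in the random-target case.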

Data Availability

The data used in the paper will be available upon request.

Code Availability

The code will be available after obtaining permission from Yazd University.

Acknowledgements

An earlier version of this article has been previously published in the proceedings of the 2020 6th International Conference on Web Research (ICWR), Tehran, Iran, which is made available here: https://ieeexplore.ieee.org/document/9122310. The present article is an extended version.

Funding

No funding.

Author information

Corresponding author

Correspondence to Seyedakbar Mostafavi.

Ethics declarations

Conflict of interest

There is no conflict of interest to declare in this study.

About this article

Cite this article

Shohani, R.B., Mostafavi, S. & Hakami, V. A Statistical Model for Early Detection of DDoS Attacks on Random Targets in SDN. Wireless Pers Commun 120, 379–400 (2021). https://doi.org/10.1007/s11277-021-08465-5

  • DOI: https://doi.org/10.1007/s11277-021-08465-5
